mitre-attack · peasead · Mar 26, 2019 · Apr 1, 2019 · Apr 9, 2019 · Apr 9, 2019
diff --git a/implementations/bzar/bzar_dce-rpc.bro b/implementations/bzar/bzar_dce-rpc.bro
@@ -220,8 +220,7 @@ export
 }
 #end export
 
-
-event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) &priority=3
+event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=3
 {
 	# priority==3 ... We want to execute before writing to dce_rpc.log
 	# because default Bro script deletes 'c$dce_rpc' after writing to log

diff --git a/implementations/bzar/bzar_smb.bro b/implementations/bzar/bzar_smb.bro
@@ -36,7 +36,6 @@ export
 	# overwritten in its entirety, or just a smaller sub-section is
 	# overwritten, which would be an interesting diagnostic to detect.
 
-	redef SMB::write_cmd_log	=  T &redef;
 	redef SMB::logged_file_actions	+= { SMB::FILE_WRITE, } &redef;
 
 	redef record SMB::FileInfo	+= 
@@ -119,7 +118,7 @@ function smb_full_path_and_file_name ( s : SMB::State ) : string
 # SMB1 Event Handlers
 #
 
-event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, svc: string) &priority=3
+event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string) &priority=3
 {
 	# Check if SMB Tree Path is an Admin File Share
 
@@ -135,8 +134,7 @@ event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: str
 	}
 }
 
-
-event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string) &priority=3
+event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, file_name: string) &priority=3
 {
 	# Copied this snippet from Bro default handler:
 	# policy/protocols/smb/smb1-main.bro#smb1_write_andx_request.
@@ -248,8 +246,7 @@ event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string)
 	}
 }
 
-
-event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &priority=3
+event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest) &priority=3
 {
 	# Copied this snippet from Bro default handler:
 	# policy/protocols/smb/smb1-main.bro#smb1_write_andx_request.
@@ -261,18 +258,16 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &prior
 		c$smb_state$current_file$path = c$smb_state$current_tree$path; 
 }
 
-
-event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, data_len: count) &priority=3 
+event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=3
 { 
 	# Keep track of the number of bytes in the Write Response. 
 	# priority==3 ... We want to execute before writing to smb_files.log
 
 	c$smb_state$current_file$data_offset_req = offset;
-	c$smb_state$current_file$data_len_req    = data_len;
+	c$smb_state$current_file$data_len_req    = length;
 } 
 
-
-event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, data_len: count) &priority=-7 
+event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count)
 {
 	# NOTE: Preference would be to detect 'smb2_write_response' 
 	#       event (instead of 'smb2_write_request'), because it 

diff --git a/implementations/bzar/main.bro b/implementations/bzar/main.bro
@@ -1,17 +1,27 @@
 #
 # File: main.bro
 # Created: 20180701
-# Updated: 20190225
+# Updated: 20190409
 #
 # Copyright 2018 The MITRE Corporation.  All Rights Reserved.
 # Approved for public release.  Distribution unlimited.  Case number 18-2489.
 #
 
-@load policy/protocols/smb
-@load base/protocols/dce-rpc
-@load base/frameworks/files
-@load base/frameworks/notice
-@load base/frameworks/sumstats
+@if ( ver <= 2.5.5 )
+		@load policy/protocols/smb
+		@load base/protocols/dce-rpc
+		@load base/frameworks/files
+		@load base/frameworks/notice
+		@load base/frameworks/sumstats
+@endif
+
+@if ( ver >= 2.6 )
+		@load base/protocols/smb
+		@load base/protocols/dce-rpc
+		@load base/frameworks/files
+		@load base/frameworks/notice
+		@load base/frameworks/sumstats
+@endif
 
 module BZAR;
 
@@ -57,7 +67,7 @@ export
 	const ignore_resp_h : set[addr] = {127.0.0.1,} &redef;
 
 	# Enable/Disable File Extraction
-	const file_extract_option = T &redef; 
+	const file_extract_option = T &redef;
 }
 #end export
 
@@ -67,9 +77,9 @@ event bro_init()
 	# 1- SumStats Analytics for ATT&CK Lateral Movement and Execution
 	#
 	# Description:
-	#    Use SumStats to raise a Bro/Zeek Notice event if an SMB Lateral Movement 
-	#    indicator (e.g., SMB File Write to a Windows Admin File Share: ADMIN$ or 
-	#    C$ only) is observed together with a DCE-RPC Execution indicator against 
+	#    Use SumStats to raise a Bro/Zeek Notice event if an SMB Lateral Movement
+	#    indicator (e.g., SMB File Write to a Windows Admin File Share: ADMIN$ or
+	#    C$ only) is observed together with a DCE-RPC Execution indicator against
 	#    the same (targeted) host, within a specified period of time.
 	#
 	# Relevant ATT&CK Technique(s):
@@ -79,13 +89,13 @@ event bro_init()
 	# Relevant Indicator(s) Detected by Bro/Zeek:
 	#    (a) smb1_write_andx_response::c$smb_state$path contains ADMIN$ or C$
 	#    (b) smb2_write_request::c$smb_state$path contains ADMIN$ or C$ *
-	#    (c) dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains 
+	#    (c) dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains
 	#        any of the following: (see BZAR::rpc_execution set).
-	# 
-	# NOTE: Preference would be to detect 'smb2_write_response' 
-	#       event (instead of 'smb2_write_request'), because it 
-	#       would confirm the file was actually written to the 
-	#       remote destination.  Unfortuantely, Bro/Zeek does 
+	#
+	# NOTE: Preference would be to detect 'smb2_write_response'
+	#       event (instead of 'smb2_write_request'), because it
+	#       would confirm the file was actually written to the
+	#       remote destination.  Unfortuantely, Bro/Zeek does
 	#       not have an event for that SMB message-type yet.
 	#
 	# Globals (defined in main.bro above):
@@ -106,15 +116,15 @@ event bro_init()
 		{
 			return result["attack_lm_ex"]$sum;
 		},
-		$threshold_crossed(key:SumStats::Key, result:SumStats::Result) = 
+		$threshold_crossed(key:SumStats::Key, result:SumStats::Result) =
 		{
 			local r = result["attack_lm_ex"];
 
 			# Ensure at least one RPC_EXEC was observed and
 			# at least one SMB_WRITE was observed
 
 			if ( r$max == 1000 && r$min == 1 )
-			{ 
+			{
 				local s = fmt("Detected activity against host %s, total score %.0f within timeframe %s", key$host, r$sum, bzar1_epoch);
 
 				# Raise Notice
@@ -129,9 +139,9 @@ event bro_init()
 	# 2- SumStats Analytics for ATTACK Lateral Movement (Multiple Attempts)
 	#
 	# Description:
-	#    Use SumStats to raise a Bro/Zeek Notice event if multiple SMB Lateral 
+	#    Use SumStats to raise a Bro/Zeek Notice event if multiple SMB Lateral
 	#    Movement indicators (e.g., multiple attempts to connect to a Windows Admin
-	#    File Share: ADMIN$ or C$ only) are observed originating from the same host, 
+	#    File Share: ADMIN$ or C$ only) are observed originating from the same host,
 	#    regardless of write-attempts and regardless of whether or not any connection
 	#    is successful --just connection attempts-- within a specified period of time.
 	#
@@ -160,7 +170,7 @@ event bro_init()
 		{
 			return result["attack_t1077"]$sum;
 		},
-		$threshold_crossed(key:SumStats::Key, result:SumStats::Result) = 
+		$threshold_crossed(key:SumStats::Key, result:SumStats::Result) =
 		{
 			local s = fmt("Detected T1077 Admin File Share activity from host %s, total attempts %.0f within timeframe %s", key$host, result["attack_t1077"]$sum, bzar2_epoch);
 
@@ -175,23 +185,23 @@ event bro_init()
 	# 3- SumStats Analytics for ATTACK Discovery
 	#
 	# Description:
-	#    Use SumStats to raise a Bro/Zeek Notice event if multiple instances of 
-	#    DCE-RPC Discovery indicators are observed originating from the same host, 
+	#    Use SumStats to raise a Bro/Zeek Notice event if multiple instances of
+	#    DCE-RPC Discovery indicators are observed originating from the same host,
 	#    within a specified period of time.
 	#
 	# Relevant ATT&CK Technique(s):
 	#    T1016 System Network Configuration Discovery
-	#    T1018 Remote System Discovery 
-	#    T1033 System Owner/User Discovery 
-	#    T1069 Permission Groups Discovery 
+	#    T1018 Remote System Discovery
+	#    T1033 System Owner/User Discovery
+	#    T1069 Permission Groups Discovery
 	#    T1082 System Information Discovery
 	#    T1083 File & Directory Discovery
 	#    T1087 Account Discovery
 	#    T1124 System Time Discovery
 	#    T1135 Network Share Discovery
 	#
 	# Relevant Indicator(s) Detected by Bro/Zeek:
-	#    (a) dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains 
+	#    (a) dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains
 	#        any of the following: (see BZAR::rpc_dicsovery set).
 	#
 	# Globals (defined in main.bro above):
@@ -212,7 +222,7 @@ event bro_init()
 		{
 			return result["attack_discovery"]$sum;
 		},
-		$threshold_crossed(key:SumStats::Key, result:SumStats::Result) = 
+		$threshold_crossed(key:SumStats::Key, result:SumStats::Result) =
 		{
 			local s = fmt("Detected activity from host %s, total attempts %.0f within timeframe %s", key$host, result["attack_discovery"]$sum, bzar3_epoch);